# Security for Hackers & Devs: Reverse Engineeirng
***
# Module 1
* Tools to deobfuscate higher level languages

| Tool      | Language |
| ----------- | ----------- |
| .Net      | [dnSpy](https://github.com/0xd4d/dnSpy)       |
| .Net   | [Decompiler (Jetbrains)](https://jetbrains.com/decompiler/)        |
Java | [Bytecode Viewer](http://bytecodeviewer.com)
Javascript | [jsdetox](https://github.com/svent/jsdetox/)
Flash | [Flash decompiler](https://www.free-decompiler.com/flash/download/)


# Module 2

## General Purpose Registers

| 64-bit | 32-bit | 16-bit | 8-bit
| -------- | -------- | ------- | ----- |
rax	| eax | ax:ah | al
rbx	| ebx | bx:bh | bl
rcx	| ecx | cx:ch | cl
rdx	| edx | dx:dh | dl
rsp | esp
rbp | ebp
rdi | edi
rsi | esi
rip | eip | ip
      |  | eflags | flags
r8 | r8d | r8w | r8b
r15 | r15d | r15w | r15b

* R typically represents 64-bit
* E typically represents 32-bit
* ESP & RSP - stack pointer, used to reference the top of the stack
* EBP & RBP - base pointer, used to set up & keep track of things in function call or a stack frame
* ESI, EDI, RDI - Used for string movs or data movs
* EIP, RIP, IP - Points to next executable instruction
* eflags & flags -
* r8-r15 - general register purpose


## Floating Point Unit (FPU):
* Gives chip the ability to handle real numbers
* 80486 & up use fully integrated x87 functionality onto the chip
* Each x87 register, known as ST(0) through ST(7), is 80 bits wide & stores numbers in the IEEE floating-point standard double extended precision format
* These registers are organized as a stack with ST(0) at the top
* ST0 must always be 1 of the 2 operands, regardless of whether the other operand is ST(X) or a memory operand


## Common Instructions
| instruct.| Funct. |
| ------------| ----------|
mov | moves content from source to destination (syntax: mov dest, source)
lea | loads effective address (load register, add numbers, generally meant to initalize a ptr)
jmp | jump
jne | jump if not equal
jg | jump if greater than
call | unconditional function call
ret | returns from a function to the caller
add | adds 2 values
sub | subtracts 2 values
xor | XORs 2 values (EX: xor eax, eax has the same effect as zeroing out eax)
cmp | compares 2 registers via subtraction
test | logically *and* two operands together

## Flags
| flag | funct. |
| ------ | ------- |
C | carry flag, holds a carry or a borrow
P | parity flag, rarely used
A | auxiliary flag used with DAA & DAS
Z | zero flag
sign | sign flag
O | overflow flag
D | direction, used w/strings to make sure you're copying from beginning to end or the reverse
I | interrupt (interrupt on/off)
T | trace flag (trace on/off)


# Module 3

## Signed vs Unsigned Comparisons:

x86 has a simple way of differentiating signed vs unsigned comparisons:

* above/below indicates an unsigned comparison, **EX**: JAE (JNB, JNC)/JBE (JNA) means Jump if above/below or equal and is unsigned. These use the carry flag
* greater/less than indicates a signed comparison, **EX**: JGE (JNL)/JLE (JNG) is signed. These use the sign, zero, or overflow flag

## Function Calling Conventions:

**Cdecl**

* most common, especially on UNIX
* params are received in reverse order
* caller unwinds stack

[img example](http://notabug.org/s4ve/security-for-hackers-n-devs/src/master/imgs/cdecl.png)

**Stdcall**

* common on Windows
* params are received in reverse order
* function unwinds stack


[img example](http://notabug.org/s4ve/security-for-hackers-n-devs/src/master/imgs/stdcall.png)


**Fastcall**

* higher performance, stack isn't used
* first two parameters are passed over registers
* no need to unwind stack


[img example](http://notabug.org/s4ve/security-for-hackers-n-devs/src/master/imgs/fastcall.png)


## Finding Main:

* 3 pushes and a call toward the bottom of _start can signify (the 3 pushes being argc, argv, & envp)
* Sometimes an argument passed to a function that looks like _start_main


# Module 5

## Flirting & Flaring

* helps w/statically compiled & stripped binaries

**FLARE - Fast Library Acquisition for Identification & Recognition**

* examines a library file & creates signature for each exported function
* you can feed these signatures to match functions in the binary

**Flirt - Fast Library Identification & Recognition Techology**

1. Identify the static library used. Try the *file* utility to identify the OS or use the *strings* to identify the used library. Once the library is identified, download it.
2. Use the appropriate library parser to create a "pattern" file, syntax: **parser - lib - output .pat file**.EX: pelf.exe libssl.a libssl.pat
3. Create signatures from patterns. *Sigmake* utility reads pattern files & generates .sig files. 


* **NOTE** that sometimes there are collisions in the functions & two different functions create the same signature. If this occurs, sigmake generates an exclusions (.exc) file. All exclusions must be manually resolved, then rerun until no more issues are left.